Product
CVE-2026-60102 describes an OS command injection vulnerability in the Horde Virtual File System (VFS) API before version 3.0.1, specifically within the Horde_Vfs_Smb driver, which allows authenticated attackers to inject arbitrary shell commands via user-controlled filenames during file operations, leading to arbitrary command execution on the underlying system.